• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2018 Google Inc.
3  *
4  * Use of this source code is governed by a BSD-style license that can be
5  * found in the LICENSE file.
6  */
7 
8 #include "Fuzz.h"
9 #include "FuzzCommon.h"
10 
11 // We don't always want to test NaNs and infinities.
fuzz_nice_float(Fuzz * fuzz,float * f)12 static void fuzz_nice_float(Fuzz* fuzz, float* f) {
13     float v;
14     fuzz->next(&v);
15     constexpr float kLimit = 1.0e35f;  // FLT_MAX?
16     *f = (v == v && v <= kLimit && v >= -kLimit) ? v : 0.0f;
17 }
18 
19 template <typename... Args>
fuzz_nice_float(Fuzz * fuzz,float * f,Args...rest)20 static void fuzz_nice_float(Fuzz* fuzz, float* f, Args... rest) {
21     fuzz_nice_float(fuzz, f);
22     fuzz_nice_float(fuzz, rest...);
23 }
24 
fuzz_nice_rect(Fuzz * fuzz,SkRect * r)25 static void fuzz_nice_rect(Fuzz* fuzz, SkRect* r) {
26     fuzz_nice_float(fuzz, &r->fLeft, &r->fTop, &r->fRight, &r->fBottom);
27     r->sort();
28 }
29 
30 // allows some float values for path points
FuzzNicePath(Fuzz * fuzz,SkPath * path,int maxOps)31 void FuzzNicePath(Fuzz* fuzz, SkPath* path, int maxOps) {
32     if (maxOps <= 0 || fuzz->exhausted() || path->countPoints() > 100000) {
33         return;
34     }
35     uint8_t fillType;
36     fuzz->nextRange(&fillType, 0, (uint8_t)SkPath::kInverseEvenOdd_FillType);
37     path->setFillType((SkPath::FillType)fillType);
38     uint8_t numOps;
39     fuzz->nextRange(&numOps, 0, maxOps);
40     for (uint8_t i = 0; i < numOps; ++i) {
41         // When we start adding the path to itself, the fuzzer can make an
42         // exponentially long path, which causes timeouts.
43         if (path->countPoints() > 100000) {
44             return;
45         }
46         // How many items in the switch statement below.
47         constexpr uint8_t PATH_OPERATIONS = 32;
48         uint8_t op;
49         fuzz->nextRange(&op, 0, PATH_OPERATIONS);
50         bool test;
51         SkPath p;
52         SkMatrix m;
53         SkRRect rr;
54         SkRect r;
55         SkPath::Direction dir;
56         unsigned int ui;
57         SkScalar a, b, c, d, e, f;
58         switch (op) {
59             case 0:
60                 fuzz_nice_float(fuzz, &a, &b);
61                 path->moveTo(a, b);
62                 break;
63             case 1:
64                 fuzz_nice_float(fuzz, &a, &b);
65                 path->rMoveTo(a, b);
66                 break;
67             case 2:
68                 fuzz_nice_float(fuzz, &a, &b);
69                 path->lineTo(a, b);
70                 break;
71             case 3:
72                 fuzz_nice_float(fuzz, &a, &b);
73                 path->rLineTo(a, b);
74                 break;
75             case 4:
76                 fuzz_nice_float(fuzz, &a, &b, &c, &d);
77                 path->quadTo(a, b, c, d);
78                 break;
79             case 5:
80                 fuzz_nice_float(fuzz, &a, &b, &c, &d);
81                 path->rQuadTo(a, b, c, d);
82                 break;
83             case 6:
84                 fuzz_nice_float(fuzz, &a, &b, &c, &d, &e);
85                 path->conicTo(a, b, c, d, e);
86                 break;
87             case 7:
88                 fuzz_nice_float(fuzz, &a, &b, &c, &d, &e);
89                 path->rConicTo(a, b, c, d, e);
90                 break;
91             case 8:
92                 fuzz_nice_float(fuzz, &a, &b, &c, &d, &e, &f);
93                 path->cubicTo(a, b, c, d, e, f);
94                 break;
95             case 9:
96                 fuzz_nice_float(fuzz, &a, &b, &c, &d, &e, &f);
97                 path->rCubicTo(a, b, c, d, e, f);
98                 break;
99             case 10:
100                 fuzz_nice_float(fuzz, &a, &b, &c, &d, &e);
101                 path->arcTo(a, b, c, d, e);
102                 break;
103             case 11:
104                 fuzz_nice_float(fuzz, &a, &b);
105                 fuzz_nice_rect(fuzz, &r);
106                 fuzz->next(&test);
107                 path->arcTo(r, a, b, test);
108                 break;
109             case 12:
110                 path->close();
111                 break;
112             case 13:
113                 fuzz_nice_rect(fuzz, &r);
114                 fuzz->nextRange(&ui, 0, 1);
115                 dir = static_cast<SkPath::Direction>(ui);
116                 path->addRect(r, dir);
117                 break;
118             case 14:
119                 fuzz->nextRange(&ui, 0, 1);
120                 dir = static_cast<SkPath::Direction>(ui);
121                 fuzz_nice_rect(fuzz, &r);
122                 fuzz->next(&ui);
123                 path->addRect(r, dir, ui);
124                 break;
125             case 15:
126                 fuzz->nextRange(&ui, 0, 1);
127                 dir = static_cast<SkPath::Direction>(ui);
128                 fuzz_nice_rect(fuzz, &r);
129                 path->addOval(r, dir);
130                 break;
131             case 16:
132                 fuzz->nextRange(&ui, 0, 1);
133                 dir = static_cast<SkPath::Direction>(ui);
134                 fuzz_nice_rect(fuzz, &r);
135                 fuzz->next(&ui);
136                 path->addOval(r, dir, ui);
137                 break;
138             case 17:
139                 fuzz->nextRange(&ui, 0, 1);
140                 dir = static_cast<SkPath::Direction>(ui);
141                 fuzz_nice_float(fuzz, &a, &b, &c);
142                 path->addCircle(a, b, c, dir);
143                 break;
144             case 18:
145                 fuzz_nice_rect(fuzz, &r);
146                 fuzz_nice_float(fuzz, &a, &b);
147                 path->addArc(r, a, b);
148                 break;
149             case 19:
150                 fuzz_nice_float(fuzz, &a, &b);
151                 fuzz_nice_rect(fuzz, &r);
152                 fuzz->nextRange(&ui, 0, 1);
153                 dir = static_cast<SkPath::Direction>(ui);
154                 path->addRoundRect(r, a, b, dir);
155                 break;
156             case 20:
157                 FuzzNiceRRect(fuzz, &rr);
158                 fuzz->nextRange(&ui, 0, 1);
159                 dir = static_cast<SkPath::Direction>(ui);
160                 path->addRRect(rr, dir);
161                 break;
162             case 21:
163                 fuzz->nextRange(&ui, 0, 1);
164                 dir = static_cast<SkPath::Direction>(ui);
165                 FuzzNiceRRect(fuzz, &rr);
166                 path->addRRect(rr, dir, ui);
167                 break;
168             case 22: {
169                 fuzz->nextRange(&ui, 0, 1);
170                 SkPath::AddPathMode mode = static_cast<SkPath::AddPathMode>(ui);
171                 FuzzNiceMatrix(fuzz, &m);
172                 FuzzNicePath(fuzz, &p, maxOps-1);
173                 path->addPath(p, m, mode);
174                 break;
175             }
176             case 23: {
177                 fuzz->nextRange(&ui, 0, 1);
178                 SkPath::AddPathMode mode = static_cast<SkPath::AddPathMode>(ui);
179                 FuzzNiceMatrix(fuzz, &m);
180                 path->addPath(*path, m, mode);
181                 break;
182             }
183             case 24:
184                 FuzzNicePath(fuzz, &p, maxOps-1);
185                 path->reverseAddPath(p);
186                 break;
187             case 25:
188                 path->addPath(*path);
189                 break;
190             case 26:
191                 path->reverseAddPath(*path);
192                 break;
193             case 27:
194                 fuzz_nice_float(fuzz, &a, &b);
195                 path->offset(a, b, path);
196                 break;
197             case 28:
198                 FuzzNicePath(fuzz, &p, maxOps-1);
199                 fuzz_nice_float(fuzz, &a, &b);
200                 p.offset(a, b, path);
201                 break;
202             case 29:
203                 FuzzNiceMatrix(fuzz, &m);
204                 path->transform(m, path);
205                 break;
206             case 30:
207                 FuzzNicePath(fuzz, &p, maxOps-1);
208                 FuzzNiceMatrix(fuzz, &m);
209                 p.transform(m, path);
210                 break;
211             case 31:
212                 fuzz_nice_float(fuzz, &a, &b);
213                 path->setLastPt(a, b);
214                 break;
215             case PATH_OPERATIONS:
216                 path->shrinkToFit();
217                 break;
218 
219             default:
220                 SkASSERT(false);
221                 break;
222         }
223         SkASSERTF(       path->isValid(),        "path->isValid() failed at op %d, case %d", i, op);
224     }
225 }
226 
227 // allows all float values for path points
FuzzEvilPath(Fuzz * fuzz,SkPath * path,int last_verb)228 void FuzzEvilPath(Fuzz* fuzz, SkPath* path, int last_verb) {
229   while (!fuzz->exhausted()) {
230     // Use a uint8_t to conserve bytes.  This makes our "fuzzed bytes footprint"
231     // smaller, which leads to more efficient fuzzing.
232     uint8_t operation;
233     fuzz->next(&operation);
234     SkScalar a,b,c,d,e,f;
235 
236     switch (operation % (last_verb + 1)) {
237       case SkPath::Verb::kMove_Verb:
238         fuzz->next(&a, &b);
239         path->moveTo(a, b);
240         break;
241 
242       case SkPath::Verb::kLine_Verb:
243         fuzz->next(&a, &b);
244         path->lineTo(a, b);
245         break;
246 
247       case SkPath::Verb::kQuad_Verb:
248         fuzz->next(&a, &b, &c, &d);
249         path->quadTo(a, b, c, d);
250         break;
251 
252       case SkPath::Verb::kConic_Verb:
253         fuzz->next(&a, &b, &c, &d, &e);
254         path->conicTo(a, b, c, d, e);
255         break;
256 
257       case SkPath::Verb::kCubic_Verb:
258         fuzz->next(&a, &b, &c, &d, &e, &f);
259         path->cubicTo(a, b, c, d, e, f);
260         break;
261 
262       case SkPath::Verb::kClose_Verb:
263         path->close();
264         break;
265 
266       case SkPath::Verb::kDone_Verb:
267         // In this case, simply exit.
268         return;
269     }
270   }
271 }
272 
FuzzNiceRRect(Fuzz * fuzz,SkRRect * rr)273 void FuzzNiceRRect(Fuzz* fuzz, SkRRect* rr) {
274     SkRect r;
275     fuzz_nice_rect(fuzz, &r);
276 
277     SkVector radii[4];
278     for (SkVector& vec : radii) {
279         fuzz->nextRange(&vec.fX, 0.0f, 1.0f);
280         vec.fX *= 0.5f * r.width();
281         fuzz->nextRange(&vec.fY, 0.0f, 1.0f);
282         vec.fY *= 0.5f * r.height();
283     }
284     rr->setRectRadii(r, radii);
285     SkASSERT(rr->isValid());
286 }
287 
FuzzNiceMatrix(Fuzz * fuzz,SkMatrix * m)288 void FuzzNiceMatrix(Fuzz* fuzz, SkMatrix* m) {
289     constexpr int kArrayLength = 9;
290     SkScalar buffer[kArrayLength];
291     int matrixType;
292     fuzz->nextRange(&matrixType, 0, 4);
293     switch (matrixType) {
294         case 0:  // identity
295             *m = SkMatrix::I();
296             return;
297         case 1:  // translate
298             fuzz->nextRange(&buffer[0], -4000.0f, 4000.0f);
299             fuzz->nextRange(&buffer[1], -4000.0f, 4000.0f);
300             *m = SkMatrix::MakeTrans(buffer[0], buffer[1]);
301             return;
302         case 2:  // translate + scale
303             fuzz->nextRange(&buffer[0], -400.0f, 400.0f);
304             fuzz->nextRange(&buffer[1], -400.0f, 400.0f);
305             fuzz->nextRange(&buffer[2], -4000.0f, 4000.0f);
306             fuzz->nextRange(&buffer[3], -4000.0f, 4000.0f);
307             *m = SkMatrix::MakeScale(buffer[0], buffer[1]);
308             m->postTranslate(buffer[2], buffer[3]);
309             return;
310         case 3:  // affine
311             fuzz->nextN(buffer, 6);
312             m->setAffine(buffer);
313             return;
314         case 4:  // perspective
315             fuzz->nextN(buffer, kArrayLength);
316             m->set9(buffer);
317             return;
318         default:
319             SkASSERT(false);
320             return;
321     }
322 }
323 
FuzzNiceRegion(Fuzz * fuzz,SkRegion * region,int maxN)324 void FuzzNiceRegion(Fuzz* fuzz, SkRegion* region, int maxN) {
325     uint8_t N;
326     fuzz->nextRange(&N, 0, maxN);
327     for (uint8_t i = 0; i < N; ++i) {
328         SkIRect r;
329         SkRegion::Op op;
330         // Avoid the sentinal value used by Region.
331         fuzz->nextRange(&r.fLeft,   -2147483646, 2147483646);
332         fuzz->nextRange(&r.fTop,    -2147483646, 2147483646);
333         fuzz->nextRange(&r.fRight,  -2147483646, 2147483646);
334         fuzz->nextRange(&r.fBottom, -2147483646, 2147483646);
335         r.sort();
336         fuzz->nextRange(&op, 0, SkRegion::kLastOp);
337         if (!region->op(r, op)) {
338             return;
339         }
340     }
341 }
342